Integrate PHP-Aegis and Sanctify-PHP libraries

.github/workflows/security-analysis.yml

@@ -0,0 +1,180 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
+# SPDX-FileCopyrightText: 2025 Jonathan
+
+name: Security Analysis
+
+on:
+  push:
+    branches: [ "main", "develop" ]
+  pull_request:
+    branches: [ "main" ]
+
+permissions:
+  contents: read
+  security-events: write
+
+jobs:
+  phpstan:
+    name: PHPStan Static Analysis
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+
+    - name: Setup PHP
+      uses: shivammathur/setup-php@v2
+      with:
+        php-version: '8.2'
+        extensions: mbstring, intl
+        tools: composer, phpstan
+
+    - name: Cache Composer packages
+      uses: actions/cache@v4
+      with:
+        path: vendor
+        key: ${{ runner.os }}-php-${{ hashFiles('**/composer.lock') }}
+        restore-keys: |
+          ${{ runner.os }}-php-
+
+    - name: Install dependencies
+      run: composer install --prefer-dist --no-progress
+
+    - name: Run PHPStan
+      run: vendor/bin/phpstan analyse --level=5 --error-format=github includes/ admin/ wp-plugin-conflict-mapper.php || true
+
+  wpcs:
+    name: WordPress Coding Standards
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+
+    - name: Setup PHP
+      uses: shivammathur/setup-php@v2
+      with:
+        php-version: '8.2'
+        extensions: mbstring
+        tools: composer, cs2pr
+
+    - name: Cache Composer packages
+      uses: actions/cache@v4
+      with:
+        path: vendor
+        key: ${{ runner.os }}-php-${{ hashFiles('**/composer.lock') }}
+        restore-keys: |
+          ${{ runner.os }}-php-
+
+    - name: Install dependencies
+      run: composer install --prefer-dist --no-progress
+
+    - name: Run PHPCS
+      run: |
+        vendor/bin/phpcs --standard=WordPress --extensions=php \
+          --ignore=*/vendor/*,*/node_modules/*,*/tests/* \
+          --report=checkstyle \
+          includes/ admin/ wp-plugin-conflict-mapper.php uninstall.php | cs2pr || true
+
+  security-patterns:
+    name: Security Pattern Check
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+
+    - name: Check for dangerous patterns
+      run: |
+        echo "Checking for dangerous PHP patterns..."
+
+        # Check for eval usage
+        if grep -r --include="*.php" "\beval\s*(" includes/ admin/ wp-plugin-conflict-mapper.php 2>/dev/null; then
+          echo "::warning::Found eval() usage - review required"
+        fi
+
+        # Check for unescaped output
+        if grep -r --include="*.php" "echo\s*\\\$_" includes/ admin/ 2>/dev/null; then
+          echo "::error::Found unescaped superglobal in echo"
+          exit 1
+        fi
+
+        # Check for SQL without prepare
+        if grep -r --include="*.php" '\$wpdb->query\s*(\s*"' includes/ admin/ 2>/dev/null | grep -v "prepare"; then
+          echo "::warning::Found potential SQL without prepare()"
+        fi
+
+        # Check for missing ABSPATH
+        for file in $(find includes/ admin/ -name "*.php" -type f); do
+          if ! head -20 "$file" | grep -q "defined.*ABSPATH"; then
+            echo "::error::Missing ABSPATH check in $file"
+            exit 1
+          fi
+        done
+
+        echo "Security pattern check passed"
+
+  strict-types:
+    name: Strict Types Check
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+
+    - name: Check for strict_types declaration
+      run: |
+        echo "Checking for declare(strict_types=1)..."
+        missing=0
+
+        for file in $(find includes/ admin/ -name "*.php" -type f); do
+          if ! head -20 "$file" | grep -q "declare(strict_types=1)"; then
+            echo "::warning::Missing strict_types in $file"
+            missing=$((missing + 1))
+          fi
+        done
+
+        if [ $missing -gt 0 ]; then
+          echo "::warning::$missing files missing strict_types declaration"
+        else
+          echo "All PHP files have strict_types declaration"
+        fi
+
+  # sanctify-php analysis (when available)
+  # Uncomment when sanctify-php binaries are available
+  #
+  # sanctify:
+  #   name: Sanctify-PHP Analysis
+  #   runs-on: ubuntu-latest
+  #
+  #   steps:
+  #   - name: Checkout code
+  #     uses: actions/checkout@v4
+  #
+  #   - name: Setup Haskell
+  #     uses: haskell-actions/setup@v2
+  #     with:
+  #       ghc-version: '9.4'
+  #       cabal-version: '3.8'
+  #
+  #   - name: Cache Cabal packages
+  #     uses: actions/cache@v4
+  #     with:
+  #       path: ~/.cabal
+  #       key: ${{ runner.os }}-cabal-${{ hashFiles('**/sanctify-php.cabal') }}
+  #
+  #   - name: Install sanctify-php
+  #     run: |
+  #       git clone https://github.com/hyperpolymath/sanctify-php.git /tmp/sanctify-php
+  #       cd /tmp/sanctify-php
+  #       cabal update
+  #       cabal install
+  #
+  #   - name: Run sanctify-php analysis
+  #     run: |
+  #       sanctify analyze --format sarif ./includes/ ./admin/ ./wp-plugin-conflict-mapper.php > sanctify-results.sarif
+  #
+  #   - name: Upload SARIF results
+  #     uses: github/codeql-action/upload-sarif@v3
+  #     with:
+  #       sarif_file: sanctify-results.sarif

admin/class-wpcm-admin.php

@@ -1,5 +1,8 @@
 <?php
 /**
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ * SPDX-FileCopyrightText: 2025 Jonathan
+ *
  * Admin Interface Class
  *
  * Handles WordPress admin interface for the plugin
@@ -8,6 +11,8 @@
  * @since 1.0.0
  */
 
+declare(strict_types=1);
+
 if (!defined('ABSPATH')) {
     exit;
 }

admin/class-wpcm-ajax.php

@@ -1,5 +1,8 @@
 <?php
 /**
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ * SPDX-FileCopyrightText: 2025 Jonathan
+ *
  * AJAX Handlers Class
  *
  * Handles all AJAX requests from the admin interface
@@ -8,6 +11,8 @@
  * @since 1.0.0
  */
 
+declare(strict_types=1);
+
 if (!defined('ABSPATH')) {
     exit;
 }

admin/class-wpcm-settings.php

@@ -1,5 +1,8 @@
 <?php
 /**
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ * SPDX-FileCopyrightText: 2025 Jonathan
+ *
  * Settings Class
  *
  * Handles plugin settings and configuration
@@ -8,6 +11,8 @@
  * @since 1.0.0
  */
 
+declare(strict_types=1);
+
 if (!defined('ABSPATH')) {
     exit;
 }

admin/views/dashboard.php

@@ -1,11 +1,16 @@
 <?php
 /**
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ * SPDX-FileCopyrightText: 2025 Jonathan
+ *
  * Dashboard View
  *
  * @package WP_Plugin_Conflict_Mapper
  * @since 1.0.0
  */
 
+declare(strict_types=1);
+
 if (!defined('ABSPATH')) {
     exit;
 }

admin/views/rankings.php

@@ -1,11 +1,16 @@
 <?php
 /**
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ * SPDX-FileCopyrightText: 2025 Jonathan
+ *
  * Rankings View
  *
  * @package WP_Plugin_Conflict_Mapper
  * @since 1.0.0
  */
 
+declare(strict_types=1);
+
 if (!defined('ABSPATH')) {
     exit;
 }

admin/views/reports.php

@@ -1,11 +1,16 @@
 <?php
 /**
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ * SPDX-FileCopyrightText: 2025 Jonathan
+ *
  * Reports View
  *
  * @package WP_Plugin_Conflict_Mapper
  * @since 1.0.0
  */
 
+declare(strict_types=1);
+
 if (!defined('ABSPATH')) {
     exit;
 }

admin/views/settings.php

@@ -1,11 +1,16 @@
 <?php
 /**
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ * SPDX-FileCopyrightText: 2025 Jonathan
+ *
  * Settings View
  *
  * @package WP_Plugin_Conflict_Mapper
  * @since 1.0.0
  */
 
+declare(strict_types=1);
+
 if (!defined('ABSPATH')) {
     exit;
 }

composer.json

@@ -44,16 +44,24 @@
             "WPCM\\Tests\\": "tests/"
         }
     },
+    "suggest": {
+        "hyperpolymath/php-aegis": "PHP 8.1+ security utilities for validation and sanitization (see docs/SECURITY-INTEGRATION.md)"
+    },
     "scripts": {
         "test": "phpunit",
         "test:coverage": "phpunit --coverage-html coverage",
         "lint": "phpcs --standard=WordPress --extensions=php --ignore=*/vendor/*,*/node_modules/* .",
         "lint:fix": "phpcbf --standard=WordPress --extensions=php --ignore=*/vendor/*,*/node_modules/* .",
         "stan": "phpstan analyse --level=5 includes/ admin/ wp-plugin-conflict-mapper.php",
+        "security": "phpstan analyse --level=6 includes/class-wpcm-security.php",
         "check": [
             "@lint",
             "@stan",
             "@test"
+        ],
+        "check:security": [
+            "@security",
+            "@stan"
         ]
     },
     "scripts-descriptions": {
@@ -62,7 +70,9 @@
         "lint": "Check code against WordPress coding standards",
         "lint:fix": "Automatically fix code style issues",
         "stan": "Run static analysis with PHPStan",
-        "check": "Run all checks (lint, static analysis, tests)"
+        "security": "Run security-focused static analysis",
+        "check": "Run all checks (lint, static analysis, tests)",
+        "check:security": "Run security-focused checks"
     },
     "config": {
         "allow-plugins": {